when a user is prompted to change their password (because it has expired) and they enter their new details.

When they hit the [Return] button the APEX Designer login screen is displayed (/apex/f?p=4550). This is the screen that displays the fields allowing a developer to enter the Workspace Name, User Name and Password.

This is a security issue for us, as our application is used by external clients.

We performed initial investigations and thought this issue may have occurred when the APEX Application Build Status is Run And Build Application, and the user is prompted to change their password. In this scenario, if the user enters the new password details and selects the [Return] button, the APEX Designer screen is displayed.

We’ve found that an external client received the APEX Designer login screen after changing the password when the APEX Application Build Status was Run Application Only.

When an application with APEX authentication requires a password change, it navigates to the change password page 4155:50. It also passes the application's home link as a deep link, so the change password page knows where to redirect to when you hit [Return]. I have never heard of a case where this redirects to 4550:1. Can you please post the exact page flows (app id : page id) for this interaction?

Btw, for internet facing systems, you should really consider using a runtime only installation. This significantly reduces the available interfaces. In your scenario, it is trivial for an external client (or an attacker who may have scanned IP ranges and found your server) to directly navigate to the APEX login page and make some login attempts.

I meant that an internet facing site maybe should not have the APEX development environment installed at all. You can just install the runtime components of APEX, to remove attack vectors.

Intermittent issues are always tricky to diagnose. How often does this happen? Are you seeing anything suspicious in the web server logs? Speaking of web server, what are you using? A bug can never be ruled out, but I suspect that there is a configuration issue somewhere. If you have a support contract, I suggest that you open a service request. You could give login credentials of your app to support, to let them diagnose the issue.
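As an added example (not part of this thread and not Oracle's code), a small script for the web server log check suggested above: it counts, per client address, requests that load or submit the workspace login page (app 4550) and records requests that reached 4550 straight from the change-password page (4155:50), which is the page flow being asked about. The log lines, hostnames and addresses are constructed for the example and assume Apache "combined" format.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (as a reverse proxy in front
# of ORDS might write them); invented for this example, not taken from the thread.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:09:14:50 +0000] "GET /apex/f?p=100:1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:14:58 +0000] "GET /apex/f?p=4155:50:201::: HTTP/1.1" 200 6044 "https://example.test/apex/f?p=100:1" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:15:31 +0000] "GET /apex/f?p=4550:1 HTTP/1.1" 200 5120 "https://example.test/apex/f?p=4155:50:201:::" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:20:01 +0000] "GET /apex/f?p=4550:1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:20:02 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "https://example.test/apex/f?p=4550:1" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:20:03 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "https://example.test/apex/f?p=4550:1" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:20:04 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "https://example.test/apex/f?p=4550:1" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
LOGIN_PAGE = re.compile(r'f\?p=4550\b')        # APEX workspace login (app 4550)
CHANGE_PW_PAGE = re.compile(r'f\?p=4155:50\b')  # APEX change-password page (4155:50)

def analyze(log_text, threshold=3):
    """Return per-IP login-page activity, the 4155:50 -> 4550 flows, and IPs at/over threshold."""
    login_hits = Counter()   # per client IP: requests that load or submit the 4550 login page
    from_change_pw = []      # (ip, timestamp) where 4550 was loaded with 4155:50 as the Referer
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue           # skip lines that are not in combined format
        ip, ts, path, ref = m['ip'], m['ts'], m['path'], m['ref']
        # A GET of the login page, or a POST submitted from it, both count as login activity.
        if LOGIN_PAGE.search(path) or (m['method'] == 'POST' and LOGIN_PAGE.search(ref)):
            login_hits[ip] += 1
        # The flow reported in the thread: landing on 4550 directly from the change-password page.
        if LOGIN_PAGE.search(path) and CHANGE_PW_PAGE.search(ref):
            from_change_pw.append((ip, ts))
    suspicious = sorted(ip for ip, n in login_hits.items() if n >= threshold)
    return {'login_hits': dict(login_hits), 'from_change_pw': from_change_pw, 'suspicious': suspicious}

if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for ip, n in result['login_hits'].items():
        print(f"{ip}: {n} login-page request(s)")
    print("reached 4550 from 4155:50:", result['from_change_pw'])
    print("clients at/over threshold:", result['suspicious'])
```

Point the script at the real access log with `analyze(open(path).read())`; a non-empty `from_change_pw` list gives the exact app:page flow to post, while `suspicious` lists clients hammering the workspace login page.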